HowtoForge Forums > Linux Forums > Installation/Configuration

#1 | MET (Junior Member) | 21st May 2010, 18:11
Fail2ban (without iptables) doesn't work, why?

My externally hosted vserver runs with Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package manager. The intention is to use fail2ban with the messages file from asterisk, i.e. without iptables. The configuration files for fail2ban are according to this howto.

When I start fail2ban with
/etc/init.d/fail2ban start
no further information is given, so I thought it would work. Later I questioned whether it would require beforehand a
/etc/init.d/fail2ban reload
or a
/etc/init.d/fail2ban restart
and in both of these cases I obtain each time the result "failed!"

How could I find out what is going wrong?

Note: I'm not very familiar with Linux, I only use it in the context of the asterisk.
#2 | MET (Junior Member) | 22nd May 2010, 12:35

Fail2Ban works now. The reload has to be done with

/usr/bin/fail2ban-client reload

and not with
/etc/init.d/fail2ban reload
(as mentioned in the howto from Voip-Info.org)

However, the log indicates that there is still an issue with the mail message (address changed here):
Quote:
2010-05-22 11:57:10,435 fail2ban.actions.action: ERROR printf %b "Hi,\n
The jail ASTERISK has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.com returned 7f00
Any ideas why the mail-message doesn't work? The mail address is on a different server. Could this be the reason?
#3 | falko (Super Moderator) | 22nd May 2010, 14:34

Can you post your /etc/fail2ban/jail.conf?
#4 | MET (Junior Member) | 22nd May 2010, 15:51

Quote:
Originally Posted by falko
Can you post your /etc/fail2ban/jail.conf?
Note that I tried with different mail-addresses. None of them is hosted on the same server:
Code:
# Fail2Ban configuration file
...
# $Revision: 747 $
...

[DEFAULT]

bantime  = 600
findtime  = 600
maxretry = 3
backend = auto


[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = hostsdeny[name=ASTERISK, protocol=all]
           mail-whois[name=ASTERISK, dest=Me@My1stDomain.com, sender=Me@My2ndDomain.com]
logpath  = /var/log/asterisk/messages
# maxretry = 5
# bantime = 259200
maxretry = 3
findtime = 300
bantime = 600

...
all other entries have: enabled=false
#5 | MET (Junior Member) | 22nd May 2010, 17:06
Fail2Ban fails to ban!

I just had another attack. The settings in jail.conf were for manual testing, as sent before:

maxretry = 3
findtime = 300
bantime = 600

The log files show the following:

Asterisk
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
Fail2ban:
Code:
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
There are about 40 attacks per second, whereas fail2ban reacts at about one-second intervals only by reporting "already banned".

Fail2ban also added the IP to the file /etc/hosts.deny.

Why then hasn't the IP been blocked?
Any suggestions/recommendations to get it working?

Last edited by MET; 24th May 2010 at 15:57.
#6 | make-fun (Member) | 25th May 2010, 07:43

What is the output of
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Do they match?
#7 | Ben (Moderator) | 25th May 2010, 08:12

As far as I understand, the hosts.allow / hosts.deny files only work for TCP-wrapped apps, which I assume Asterisk is not.

Why do you try to avoid using iptables?
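A simplified model of the jail from #4 applied to chan_sip lines like those in #5, added here as an illustration and not fail2ban's own code: the failregex is my own approximation of the asterisk filter with fail2ban's <HOST> placeholder written as a named group, and the sample lines are constructed. A match that arrives while the host is already on the ban list is what produces the "already banned" warnings, which, as Ben says, is evidence that the hosts.deny entry never stopped the SIP traffic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the Asterisk messages file shown in
# this thread (timestamps compressed so the window logic is visible).
ASTERISK_LOG = """\
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:06] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:20:00] NOTICE[29225] chan_sip.c: Registration from '"200"<sip:200@12.34.56.78>' failed for '10.0.0.9' - No matching peer found
"""

# Hypothetical failregex in the spirit of the asterisk filter; fail2ban's
# <HOST> placeholder is expanded to the named group "host" here.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<host>[0-9.]+)' - No matching peer found$")

def evaluate(log, maxretry=3, findtime=300, bantime=600):
    """Simplified model of the jail rule: a host is banned once it produces
    maxretry matches within findtime seconds and stays banned for bantime.
    Returns (bans, already_banned): bans is a list of (host, time, attempts);
    already_banned counts matches seen while the host was still banned."""
    recent, banned_until = {}, {}
    bans, already = [], 0
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        host = m.group("host")
        t = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if host in banned_until and t < banned_until[host]:
            already += 1  # traffic still arriving: the ban action did not block it
            continue
        window = [x for x in recent.get(host, []) if t - x <= timedelta(seconds=findtime)]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry:
            bans.append((host, t, len(window)))
            banned_until[host] = t + timedelta(seconds=bantime)
            recent[host] = []
    return bans, already
```

With the jail's maxretry = 3 the third failure triggers the ban, and the fourth line is counted as "already banned" because nothing on the UDP SIP path was actually blocked.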
#8 | MET (Junior Member) | 25th May 2010, 11:13

Quote:
Originally Posted by Ben
Why do you try to avoid using iptables?
Because asterisk is on an externally hosted vserver where I do not have root access.
#9 | MET (Junior Member) | 25th May 2010, 11:27

Quote:
Originally Posted by make-fun
What is the output of
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Do they match?
I'm not sure whether I understand these commands, but they didn't show anything on the CLI. It could also be that I did a reload in the meantime. After the attack I checked the files: hosts.deny was empty and hosts.allow contained the IP which attacked before. I interpreted this to be the result of the action command, which unbanned the IP after 10 min with bantime = 600.
#10 | make-fun (Member) | 27th May 2010, 03:28

Quote:
Originally Posted by MET
I'm not sure whether I understand these commands, but they didn't show anything on the CLI.
Where is your fail2ban logfile?
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Should return a list with number of BANs per day and what filter was hit -- like here with postfix:
Code:
    123 [postfix] 2010-05-16
    114 [postfix] 2010-05-17
     75 [postfix] 2010-05-18
     45 [postfix] 2010-05-20
    104 [postfix] 2010-05-21
    100 [postfix] 2010-05-22
    103 [postfix] 2010-05-23
     43 [postfix] 2010-05-24
This is normally a good way to see if and what's happening, as you can compare "Ban ", "already banned" and "Unban ". If you got nothing there, it seems fail2ban has never done anything for you.
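The per-day counting make-fun describes in #6 and #10, plus a decoder for the "returned 7f00" errors in #2 and #5, as an added Python example that is not from the thread, run over a constructed log excerpt: fail2ban 0.8 logs the raw wait status of the action command in hex, whose high byte is the shell's exit code, so 7f00 means exit status 127, "command not found", most likely because the mail command is not installed on that vserver.

```python
import re
from collections import Counter

# Constructed sample in the format fail2ban 0.8 writes (mirrors this thread;
# the multi-line printf of the real log is collapsed onto one line).
FAIL2BAN_LOG = """\
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
2010-05-23 09:00:01,000 fail2ban.actions: WARNING [asterisk-iptables] Ban 10.0.0.9
"""

EVENT = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<rest>.+)$")
RETURNED = re.compile(
    r"^\S+ \S+ fail2ban\.actions\.action: ERROR\s+(?P<cmd>.+) returned (?P<status>[0-9a-f]+)$")

def summarize(log):
    """Count Ban / already banned / Unban per (jail, day): the same figures
    as the grep | awk | sort | uniq -c pipelines above, keyed for comparison."""
    counts = Counter()
    for line in log.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("Ban "):
            kind = "Ban"
        elif rest.startswith("Unban "):
            kind = "Unban"
        elif rest.endswith("already banned"):
            kind = "already banned"
        else:
            continue
        counts[(m.group("jail"), m.group("day"), kind)] += 1
    return counts

def failed_actions(log):
    """Decode 'returned <hex>' errors into (last command of the pipeline,
    exit code, signal). The status is a Unix wait status: exit code in the
    high byte, terminating signal in the low 7 bits; 127 = command not found."""
    out = []
    for line in log.splitlines():
        m = RETURNED.match(line)
        if m:
            status = int(m.group("status"), 16)
            last_cmd = m.group("cmd").split("|")[-1].split()[0]
            out.append((last_cmd, status >> 8, status & 0x7F))
    return out
```

If summarize() reports bans but the "already banned" count keeps climbing for the same IP, the ban action is not actually blocking anything, which is the situation in #5.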
All times are GMT +2.